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CLAIMS 

1 . A method of verifying the knowledge of a secret number s in a 
prover device (10) by a verifier device (30) having no knowledge of the 

5 secret number, with a zero-knowledge protocol using the Montgomery 
representation of numbers and Montgomery multiplication operations 
therein. 

2. The method of claim 1 in which the zero knowledge protocol 
10 is the Fiat-Shamir protocol. 

3. The method of claim 1 in which the zero knowledge protocol 
is the Guillou-Quisquater protocol. 

15 4. The method of claim 2 including the steps of: 

(i) providing (102) to the verifier device (10) a value \/ = being the 
Montgomery multiplication of the secret number s by itself; 

(ii) computing (106), by the prover device, the value x= rxm r, where r 
is a random number and transmitting the value of xto the verifier device; 

20 (ill) selecting (108), by the verifier device, a challenge value of e from 
the set {0, 1} and transmitting the challenge value to the prover device; 

(iv) computing (110), by the prover device, the value y = rxm and 
transmitting the value y to the verifier device; and 

(v) the verifier device (10) checking the authenticity of the prover's 
25 response according to the values of x, y and v previously received and 

according to the challenge value e. 

5. The method of claim 4 wherein the step of checking the 
authenticity of the prover's response comprises the steps of: 
30 for a challenge value of e = 1 , computing (115) the values of y Xm y 

and vxm xand checking (116) that they are the same; or 
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for a challenge value of e = 0, computing (120) the value of y Xm y 
and checking (121) that it is the same as the previously received value of x. 

6. The method of claim 4 or claim 5 further including the steps of 
5 repeating steps (ii) to (v) for a number of consecutive rounds to confirm the 

authenticity of the prover device. 

7. The method of claim 4 or claim 5 in which the secret number 
s is a Montgomery representation of another number s'l<nown in the prover 

10 device domain but not in the verifier device domain, further including the 
step of computing, by the prover device, the value of sfrom s' according to 
s = sR mod n, where R > n, values of n and R being used by both the 
prover device and the verifier device. 

15 8. The method of claim 4 in which the Montgomery 

multiplications of s Xm s, rxm n and rx^s^ are carried out according to the 
formula a Xm = abR'^ mod n, where R > n, values of n and R being used 
by both the prover device (10) and the verifier device (30). 

20 9. The method of claim 5 in which the Montgomery 

multiplications of y Xm y and s^Xm xare carried out according to the formula 
a Xm ft = abPT^ mod n, where R > n, values of n and R being used by both 
the prover device (10) and the verifier device (30). 

25 10. The method of claim 1 in which all computations In the zero 

knowledge protocol are performed using Montgomery representation of 
numbers and using Montgomery multiplication operations. 



30 



1 1 . The method of claim 3 including the steps of: 
(i) providing (303) to the verifier device a value being the 
Montgomery e^^ power of the secret number s; 
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(ii) computing (306), by the prover device (10), the value x = being 
the Montgomery power of r where r is a random number, and 
transmitting the value of xto the verifier device (30); 

(iii) selecting (308), by the verifier device, a challenge value of c from 
5 the set {0, 1, ... e - 1} and transmitting the challenge value to the prover 

device; 

(iv) computing (310), by the prover device, the value y = r Xm ^ and 
transmitting (31 1) the value y to the verifier device; and 

(v) the verifier device (30) checking the authenticity of the prover's 
10 response according to the values of x, y and previously received 

according to the challenge value o. 

12. The method of claim 11 wherein the step of checking the 
authenticity of the prover's response comprises the step of: 

15 computing (313, 314) the values of and xxm s^^ and checking that 

they are the same. 

13. The method of claim 1 1 or claim 12 further including the steps 
of repeating steps (ii) to (v) for a number of consecutive rounds to confirm 

20 the authenticity of the prover device. 

14. A prover device (10) having contained therein a secret 
number s in Montgomery representation, the device adapted for proving the 
knowledge of the secret number s to a verifier device without conveying 

25 knowledge of the secret number itself, with a zero-knowledge protocol 
using the Montgomery representation of numbers and Montgomery 
multiplication operations therein. 

1 5. The prover device of claim 14 further Including: 
30 means (12) for selecting a random number, r, 

means (11) for computing the Montgomery square of rto obtain x; 
means for transmitting x to a verifier device (30); 
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means (11) for receiving a challenge value, e; 

means (11) for computing the Montgomery product of y = rxm s; and 

means for transmitting y to the verifier device (30). 

5 1 6- The prover device of claim 1 4 further including: 

means (12) for selecting a random number, r, 

means (11) for computing the Montgomery power of rto obtain 

means for transmitting xto a verifier device; 

means (11) for receiving a challenge value, a 
10 means (1 1 ) for computing the Montgomery product of y = rxm s; and 

means for transmitting y to the verifier device. 

17, A verifier device (30) for verifying the knowledge of a secret 
number s in a prover device without knowledge of the secret number itself, 

15 with a zero-knowledge protocol using the Montgomery representation of 
numbers and Montgomery multiplication operations therein. 

1 8. The verifier device (30) of claim 1 7 further including: 

means (31) for receiving the Montgomery square v of the secret 
20 number s; 

means (31) for receiving the Montgomery square, x of a random 
number, r, 

means (31) for transmitting a challenge value, e to the prover 
device; 

25 means (31) for checking the authenticity of the prover's response, y 

according to the Montgomery square of y verified against values of x and / 
or V received from the prover device according to the challenge value, e. 



1 9. The verifier device of claim 1 7 further including: 
30 means for receiving the Montgomery e"* power, ^ of the secret 

number s; 
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means for receiving the Montgomery e"' power, x of a random 
number, r, 

means for transmitting a clialienge value, c to the prover device; 
means (31) for checking the authenticity of the prover's response, y 
5 according to the Montgomery power of / verified against the value of x 
Xm received from the prover device, according to the challenge value, c. 

20. A method of proving the knowledge of a secret number s In a 
prover device (10) to a verifier device (30) having no knowledge of the 
10 secret number, with a zero-knowledge protocol using the Montgomery 
representation of numbers and Montgomery multiplication operations 
therein, comprising the steps of: 

selecting (305) a random number, r, 
computing (306) the Montgomery e*" power of rto obtain x; 
15 transmitting (306) x to a verifier device; 

receiving a challenge value, c, 

computing (310) the Montgomery product of y= r Xm s"; and 
transmitting (31 1) y to the verifier device. 

20 21 . A method of verifying the knowledge of a secret number s in a 

prover device (10) by a verifier device (30) having no knowledge of the 
secret number, with a zero-knowledge protocol using the Montgomery 
representation of numbers and Montgomery multiplication operations 
therein, comprising the steps of: 
25 receiving (103) the Montgomery square vof the secret number s; 

receiving (107) the Montgomery square, xof a random number, r, 
transmitting (108) a challenge value, eto the prover device; 
checking the authenticity of the prover's response, y according to the 
Montgomery square of y verified against values of x and / or v received 
30 from the prover device according to the challenge value e. 



wo 2004/054168 



PCT/IB2003/005335 



18 

22. A method of verifying tlie knowledge of a secret number s in a 
prover device (10) by a verifier device (30) iiaving no [knowledge of the 
secret number, with a zero-l<nowledge protocol using the Montgomery 
representation of numbers and Montgomery multiplication operations 

5 therein, comprising the steps of: 

receiving (303) the Montgomery e*" power of the secret number s; 
receiving (307) the Montgomery e'" power, xof a random number, r, 
transmitting (308) a challenge value, cto the prover device; 
checking (315) the authenticity of the prover's response, /according 
10 to the Montgomery e* power of y verified against the value of x Xm 
received from the prover device according to the challenge value c. 

23. A computer program product, comprising a computer 
readable medium having thereon computer program code means adapted, 

IS when said program is loaded onto a computer, to make the computer 
execute the procedure of any one of claims 1 to 13 and 19 to 22. 

24. A computer program, distributable by electronic data 
transmission, comprising computer program code means adapted, when 

20 said program is loaded onto a computer, to make the computer execute the 
procedure of any one of claims 1 to 13 and 19 to 22. 



